Cool sandboxing Android apps with SELinux

Many apps require far more permissions than they need to function.

Most apps need an internet connection to talk to some API (let's say update checking or notifications, etc.) and need to access the SD card (for buffering/caching).

It would be great if the OS were structured so that we could grant apps access only to specific directories that belong only to them (think of browser cache, YouTube buffer...), and when the user promptly and consciously wants to pass files (e.g. upload a file through a web browser), they get staged/promoted/linked to that area accessible by the app.

Until that happens, we have SELinux on many Android phones. Can we use it to sandbox apps? (The idea has been there since 2009; see http://danwalsh.livejournal.com/28545.html)

Can we define a policy such that:
1. Those apps are not allowed to access my gallery directory (DCIM).
2. Those apps are allowed to access my gallery but are not allowed to use a network connection.

On desktop Linux it was successfully applied (here it was applied to Firefox: http://danwalsh.livejournal.com/31146.html).